From fe9372eceb0eba77635549ed4ddcd56040186fbf Mon Sep 17 00:00:00 2001 From: Martin Schuppert Date: Tue, 11 Sep 2018 11:21:40 +0200 Subject: [PATCH] Add support for native TLS encryption on NBD for disk migration The NBD protocol previously runs in clear text, offering no security protection for the data transferred, unless it is tunnelled over some external transport like SSH. Such tunnelling is inefficient and inconvenient to manage. Support for TLS to the NBD clients & servers provided by QEMU was added. In tls-everywhere use case we want to take advantage of this feature to create the certificates and configure qemu to use nbd tls. Closes-Bug: 1793093 Depends-On: Ifa5cf08d5104a62c9c094e3585de33e19e265110 Depends-On: I1db1b60be4907511f0ec0f5aa0f0a45e1c5d9b45 Depends-On: I347881cf4822583179c0c042c42fa1e33dbcedd2 Change-Id: I7d9df304d75bdbe36ecdfe50e5ce6b42a53063cc
---
 docker/services/nova-libvirt.yaml | 71 ++++++++++++++ puppet/services/certmonger-user.yaml | 4 + puppet/services/nova-libvirt.yaml | 92 +++++++++++++++++++ ...d_for_disk_migration-2e16003c4764a399.yaml | 12 +++ 4 files changed, 179 insertions(+) create mode 100644 releasenotes/notes/nova_qemu_native_tls_encryption_on_nbd_for_disk_migration-2e16003c4764a399.yaml
diff --git a/docker/services/nova-libvirt.yaml b/docker/services/nova-libvirt.yaml
index 719cde2b80..2492eb9dce 100644
--- a/docker/services/nova-libvirt.yaml
+++ b/docker/services/nova-libvirt.yaml
@@ -85,11 +85,21 @@ parameters: description: If set to true and if EnableInternalTLS is enabled, it will enable TLS transaport for libvirt VNC and configure the relevant keys for libvirt. + UseTLSTransportForNbd: + type: boolean + default: true + description: If set to true and if EnableInternalTLS is enabled, it will + enable TLS transaport for libvirt NBD and configure the + relevant keys for libvirt. InternalTLSCAFile: default: '/etc/ipa/ca.crt' type: string description: Specifies the default CA cert to use if TLS is used for services in the internal network. + InternalTLSNbdCAFile: + default: '/etc/pki/qemu/ca-cert.pem' + type: string + description: Specifies the CA cert to use for NBD TLS. InternalTLSVncCAFile: default: '/etc/pki/CA/certs/vnc.crt' type: string @@ -116,6 +126,16 @@ parameters: the InternalTLSVncCAFile parameter) is not desired. The current default reflects TripleO's default CA, which is FreeIPA. It will only be used if internal TLS is enabled. + LibvirtNbdCACert: + type: string + default: '' + description: This specifies the CA certificate to use for NBD TLS. + This file will be symlinked to the default CA path, + which is /etc/pki/libvirt-nbd/ca-cert.pem. + This parameter should be used if the default (which comes from + the InternalTLSNbdCAFile parameter) is not desired. The current + default reflects TripleO's default CA, which is FreeIPA. + It will only be used if internal TLS is enabled. VhostuserSocketGroup: default: "qemu" description: > @@ -186,6 +206,20 @@ conditions: - {get_param: QemuMemoryBackingDir} - '' + use_tls_for_nbd: + and: + - equals: + - {get_param: EnableInternalTLS} + - true + - equals: + - {get_param: UseTLSTransportForNbd} + - true + + libvirt_nbd_specific_ca_unset: + equals: + - {get_param: LibvirtNbdCACert} + - '' + docker_enabled: equals: - {get_param: ContainerCli} 
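Review bot: `InternalTLSNbdCAFile` and `LibvirtNbdCACert` in the parameters hunks only steer the bind-mount source of the container's CA, while the host-side CA symlink and certmonger specs in puppet/services/nova-libvirt.yaml are driven by differently named parameters (`InternalTLSQemuCAFile` / `QemuCACert`), so an operator who supplies a custom CA through one template and not the other ends up with a container CA that does not match the one the qemu certificates were issued against. Either reuse the puppet parameter names here or state the coupling in the description, e.g. `Must be kept in sync with QemuCACert in puppet/services/nova-libvirt.yaml.`. The `LibvirtNbdCACert` description also says the file is symlinked to `/etc/pki/libvirt-nbd/ca-cert.pem`, whereas the volume mount later in this file places it at `/etc/pki/qemu/ca-cert.pem`; the description should name the path the container actually uses. `transaport` in the `UseTLSTransportForNbd` description is a typo for `transport`.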
@@ -277,6 +311,14 @@ outputs: merge: true preserve_properties: true - null + - if: + - use_tls_for_nbd + - + - source: /var/lib/kolla/config_files/src-libvirt-nbd-pki/client-*.pem + dest: /etc/pki/libvirt-nbd/ + merge: true + preserve_properties: true + - null permissions: list_concat: - @@ -295,6 +337,19 @@ outputs: owner: root:qemu perm: '0640' - null + - if: + - use_tls_for_nbd + - + - path: /etc/pki/libvirt-nbd/client-key.pem + owner: root:qemu + perm: '0640' + - path: /etc/pki/qemu/server-key.pem + owner: root:qemu + perm: '0640' + - path: /etc/pki/qemu/ca-cert.pem + owner: root:root + perm: '0644' + - null /var/lib/kolla/config_files/nova_virtlogd.json: command: /usr/sbin/virtlogd --config /etc/libvirt/virtlogd.conf config_files: @@ -403,6 +458,22 @@ outputs: params: MEMORY_BACKING_DIR: {get_attr: [RoleParametersValue, value, memory_backing_dir]} - null + - + if: + - use_tls_for_nbd + - + - str_replace: + template: "CACERT:/var/lib/kolla/config_files/src-tls/etc/pki/qemu/ca-cert.pem:ro" + params: + CACERT: + if: + - libvirt_nbd_specific_ca_unset + - get_param: InternalTLSNbdCAFile + - get_param: LibvirtNbdCACert + - /etc/pki/qemu/server-cert.pem:/var/lib/kolla/config_files/src-tls/etc/pki/qemu/server-cert.pem:ro + - /etc/pki/qemu/server-key.pem:/var/lib/kolla/config_files/src-tls/etc/pki/qemu/server-key.pem:ro + - /etc/pki/libvirt-nbd:/var/lib/kolla/config_files/src-libvirt-nbd-pki:ro + - null environment: - KOLLA_CONFIG_STRATEGY=COPY_ALWAYS step_4: diff --git a/puppet/services/certmonger-user.yaml b/puppet/services/certmonger-user.yaml index 89bb5a1c71..ba9a488a30 100644 --- a/puppet/services/certmonger-user.yaml +++ b/puppet/services/certmonger-user.yaml @@ -48,6 +48,9 @@ parameters: CertmongerVncCA: type: string default: 'IPA' + CertmongerQemuCA: + type: string + default: 'IPA' conditions: 
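Review bot: The new config_files entry copies only `src-libvirt-nbd-pki/client-*.pem` into `/etc/pki/libvirt-nbd/`, so no `ca-cert.pem` lands in that directory inside the container even though the `LibvirtNbdCACert` description says the CA is symlinked there on the host; QEMU's tls-creds-x509 loads `ca-cert.pem` from the same directory as the client cert and key, so if libvirt points the NBD client credentials at `/etc/pki/libvirt-nbd` the handshake will fail at migration time unless something outside this diff populates the CA there (I cannot see the host-side directory handling). Widening the glob to `source: /var/lib/kolla/config_files/src-libvirt-nbd-pki/*.pem` would pick the CA up, but a host symlink copied as-is may dangle inside the container, so an explicit entry such as `source: /var/lib/kolla/config_files/src-tls/etc/pki/qemu/ca-cert.pem` with `dest: /etc/pki/libvirt-nbd/ca-cert.pem` is the safer form. The permission entries are appropriate: both private keys stay `root:qemu 0640` and only the CA is world-readable.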
@@ -64,6 +67,7 @@ outputs: - tripleo::certmonger::ca::crl::crl_source: {get_param: DefaultCRLURL} certmonger_ca: {get_param: CertmongerCA} certmonger_ca_vnc: {get_param: CertmongerVncCA} + certmonger_ca_qemu: {get_param: CertmongerQemuCA} - {} step_config: | include ::tripleo::profile::base::certmonger_user diff --git a/puppet/services/nova-libvirt.yaml b/puppet/services/nova-libvirt.yaml index 54d66f00d4..5694cd8b87 100644 --- a/puppet/services/nova-libvirt.yaml +++ b/puppet/services/nova-libvirt.yaml @@ -82,6 +82,12 @@ parameters: description: If set to true and if EnableInternalTLS is enabled, it will enable TLS transaport for libvirt VNC and configure the relevant keys for libvirt. + UseTLSTransportForNbd: + type: boolean + default: true + description: If set to true and if EnableInternalTLS is enabled, it will + enable TLS transaport for libvirt NBD and configure the + relevant keys for libvirt. InternalTLSCAFile: default: '/etc/ipa/ca.crt' type: string @@ -91,6 +97,10 @@ parameters: default: '/etc/pki/CA/certs/vnc.crt' type: string description: Specifies the CA cert to use for VNC TLS. + InternalTLSQemuCAFile: + default: '/etc/pki/CA/certs/qemu.pem' + type: string + description: Specifies the CA cert to use for qemu. LibvirtCACert: type: string default: '' @@ -113,6 +123,16 @@ parameters: the InternalTLSVncCAFile parameter) is not desired. The current default reflects TripleO's default CA, which is FreeIPA. It will only be used if internal TLS is enabled. + QemuCACert: + type: string + default: '' + description: This specifies the CA certificate to use for qemu. + This file will be symlinked to the default CA path, + which is /etc/pki/qemu/ca-cert.pem. + This parameter should be used if the default (which comes from + the InternalTLSQemuCAFile parameter) is not desired. The current + default reflects TripleO's default CA, which is FreeIPA. + It will only be used if internal TLS is enabled. MigrationSshKey: type: json description: 
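Review bot: `UseTLSTransportForNbd` defaults to `true`, so every existing deployment with `EnableInternalTLS` switches to native-TLS migration on its next stack update without opting in, and a compute node whose libvirt/QEMU lacks migration and NBD TLS support (the minimum versions are presumably enforced in the puppet-nova change this depends on, not here) loses live migration rather than falling back to the previous transport. The description should say so, e.g. `Requires a libvirt/QEMU with native TLS migration support; when it is missing, live migration fails rather than falling back to plaintext.`. `transaport` in the same description is a typo for `transport`, and `InternalTLSQemuCAFile` defaults to `/etc/pki/CA/certs/qemu.pem` while the `QemuCACert` description names `/etc/pki/qemu/ca-cert.pem` as the symlink target; a sentence explaining that the former is the origin and the latter the installed path would save operators a guess.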
> @@ -169,6 +189,19 @@ conditions: - {get_param: LibvirtVncCACert} - '' + use_tls_for_nbd: + and: + - equals: + - {get_param: EnableInternalTLS} + - true + - equals: + - {get_param: UseTLSTransportForNbd} + - true + + qemu_specific_ca_unset: + equals: + - {get_param: QemuCACert} + - '' resources: NovaBase: @@ -342,6 +375,58 @@ outputs: params: NETWORK: {get_param: [ServiceNetMap, NovaLibvirtNetwork]} - {} + - + if: + - use_tls_for_nbd + - + nova::compute::libvirt::qemu::nbd_tls: true + nova::migration::libvirt::live_migration_with_native_tls: true + tripleo::certmonger::qemu_dirs::certificate_dir: '/etc/pki/qemu' + tripleo::certmonger::qemu_nbd_dirs::certificate_dir: '/etc/pki/libvirt-nbd' + generate_service_certificates: true + tripleo::certmonger::ca::qemu::origin_ca_pem: + if: + - qemu_specific_ca_unset + - get_param: InternalTLSQemuCAFile + - get_param: QemuCACert + qemu_certificates_specs: + qemu-server-cert: + cacertfile: + if: + - qemu_specific_ca_unset + - get_param: InternalTLSQemuCAFile + - null + service_certificate: '/etc/pki/qemu/server-cert.pem' + service_key: '/etc/pki/qemu/server-key.pem' + hostname: + str_replace: + template: "%{hiera('fqdn_NETWORK')}" + params: + NETWORK: {get_param: [ServiceNetMap, NovaLibvirtNetwork]} + principal: + str_replace: + template: "qemu/%{hiera('fqdn_NETWORK')}" + params: + NETWORK: {get_param: [ServiceNetMap, NovaLibvirtNetwork]} + qemu-nbd-client-cert: + cacertfile: + if: + - qemu_specific_ca_unset + - get_param: InternalTLSQemuCAFile + - null + service_certificate: '/etc/pki/libvirt-nbd/client-cert.pem' + service_key: '/etc/pki/libvirt-nbd/client-key.pem' + hostname: + str_replace: + template: "%{hiera('fqdn_NETWORK')}" + params: + NETWORK: {get_param: [ServiceNetMap, NovaLibvirtNetwork]} + principal: + str_replace: + template: "qemu/%{hiera('fqdn_NETWORK')}" + params: + NETWORK: {get_param: [ServiceNetMap, NovaLibvirtNetwork]} + - {} step_config: | include tripleo::profile::base::nova::libvirt metadata_settings: 
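Review bot: When `QemuCACert` is set, `cacertfile` for both `qemu-server-cert` and `qemu-nbd-client-cert` becomes `null` while `tripleo::certmonger::ca::qemu::origin_ca_pem` switches to the custom file, yet the certificates are presumably still requested from the certmonger CA selected by `CertmongerQemuCA` (default `IPA`, added in certmonger-user.yaml); unless that CA is changed as well, the trusted CA and the issuing CA differ and every NBD TLS handshake fails verification. State the dependency in the `QemuCACert` description: `Only useful together with CertmongerQemuCA pointing at a certmonger CA that issues from this CA.`. Separately, both specs use the principal `qemu/<fqdn>`, and as far as I can tell the destination's NBD server verifies the client only as "issued by the trusted CA", so any node holding a qemu certificate from the same CA can open the NBD server of an in-flight migration; a comment above `qemu-nbd-client-cert` noting that reachability of the migration ports remains the access control would set expectations correctly.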
@@ -360,3 +445,10 @@ outputs:
 network: {get_param: [ServiceNetMap, NovaLibvirtNetwork]}
 type: node
 - null
+ - if:
+ - use_tls_for_nbd
+ -
+ - service: qemu
+ network: {get_param: [ServiceNetMap, NovaLibvirtNetwork]}
+ type: node
+ - null
diff --git a/releasenotes/notes/nova_qemu_native_tls_encryption_on_nbd_for_disk_migration-2e16003c4764a399.yaml b/releasenotes/notes/nova_qemu_native_tls_encryption_on_nbd_for_disk_migration-2e16003c4764a399.yaml
new file mode 100644
index 0000000000..282b7d40c8
--- /dev/null
+++ b/releasenotes/notes/nova_qemu_native_tls_encryption_on_nbd_for_disk_migration-2e16003c4764a399.yaml
@@ -0,0 +1,12 @@
+---
+features:
+ - |
+ Add support for native TLS encryption on NBD for disk migration
+
+ The NBD protocol previously runs in clear text, offering no security
+ protection for the data transferred, unless it is tunnelled over some
+ external transport like SSH. Such tunnelling is inefficient and
+ inconvenient to manage. Support for TLS to the NBD clients & servers
+ provided by QEMU was added. In tls-everywhere use case we want to
+ take advantage of this feature to create the certificates and configure
+ qemu to use nbd tls.